A major security breach has impacted multiple decentralized applications (dApps), with the attack stemming from malicious code injected into Lottie Player, a widely used JavaScript animation library.
The attack exploited recent updates to Lottie Player’s npm package, specifically in versions 2.0.5 through 2.0.7, where hackers embedded malicious code within JSON files that display animations on websites.
At least one individual has lost 10 BTC (US$723,000) after unknowingly signing a phishing transaction linked to the breach, according to Scam Sniffer, a platform designed to protect users from online fraud.
Blockaid, a cybersecurity platform monitoring the incident, confirmed Wednesday the attackers deployed a fake wallet connection prompt, leading users to the drainer malware "Ace Drainer," which mimics legitimate connections to deceive users.
According to Blockaid, the hackers added harmful code into Lottie Player’s files, turning these animations into entry points for potential scams. Essentially, when users visited sites with this compromised library, they were shown fake pop-ups asking them to connect their digital wallets.
However, these prompts were controlled by hackers and could grant them unauthorized access to users’ funds.
In response to the attack, LottieFiles’ vice president of engineering, Jawish Hameed, confirmed Wednesday that affected versions were removed from npm, and a safe version (2.0.8) was released.
LottieFiles pointed Decrypt to its public statement regarding the breakdown of events when asked for comment.
Hameed noted the breach involved the GitHub account of a senior engineer, through which attackers pushed three compromised updates in just three hours on Tuesday.
LottieFiles has since revoked all access from the affected developer account and taken further steps to prevent future incidents.
This type of “supply chain attack”—where hackers infiltrate widely used software that many websites rely on—can have widespread consequences. In this case, the compromised Lottie Player versions were automatically pulled into many sites, making it easier for hackers to reach users.
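Because sites pulled the compromised releases in automatically (through caret ranges in package.json or an unpinned CDN tag), the defender's first job is finding where the affected versions landed. The audit below is an added example, not code from the article or from LottieFiles; it assumes the npm package name is @lottiefiles/lottie-player and the package-lock.json v2/v3 layout, and the lockfile and HTML it scans are constructed samples.

```javascript
// Versions named in the article; the safe release it reports is 2.0.8.
const AFFECTED_PACKAGE = "@lottiefiles/lottie-player"; // assumed npm name
const AFFECTED_RANGE = { min: "2.0.5", max: "2.0.7" };
const SAFE_VERSION = "2.0.8";

// Minimal semver compare for plain x.y.z strings (no prerelease handling).
function compareSemver(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function isAffectedVersion(version) {
  if (!/^\d+\.\d+\.\d+$/.test(version)) return false;
  return compareSemver(version, AFFECTED_RANGE.min) >= 0 &&
         compareSemver(version, AFFECTED_RANGE.max) <= 0;
}

// Walk every installed copy, including nested ones under other dependencies.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + AFFECTED_PACKAGE)) continue;
    if (isAffectedVersion(meta.version)) {
      findings.push({ path, version: meta.version, fix: SAFE_VERSION });
    }
  }
  return findings;
}

// Flag <script> tags that load the player from a CDN unpinned (or @latest),
// since those fetch whatever was published most recently, or pinned to a bad version.
function auditScriptTags(html) {
  const re = /<script[^>]+src=["']([^"']*?lottie-player(?:@([^/"']+))?[^"']*)["']/gi;
  const findings = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const tag = m[2];
    if (!tag || tag === "latest") findings.push({ src: m[1], reason: "unpinned" });
    else if (isAffectedVersion(tag)) findings.push({ src: m[1], reason: "affected " + tag });
  }
  return findings;
}

// Constructed samples: one vulnerable nested install and one unpinned CDN tag.
const SAMPLE_LOCK = { packages: {
  "node_modules/@lottiefiles/lottie-player": { version: "2.0.6" },
  "node_modules/some-widget/node_modules/@lottiefiles/lottie-player": { version: "2.0.8" } } };
const SAMPLE_HTML = '<script src="https://unpkg.com/@lottiefiles/lottie-player@latest/dist/lottie-player.js"></script>';
```

Running `auditLockfile(SAMPLE_LOCK)` reports the 2.0.6 copy with 2.0.8 as the fix, and `auditScriptTags(SAMPLE_HTML)` reports the `@latest` tag as unpinned.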
Decentralized aggregator platform 1inch, one of the main targets of the attack, reassured users on social media that only its web dApp was affected and that the wallet app and core protocols remain secure.
Security compromises in widely used libraries and tools have become a critical issue as hackers exploit vulnerabilities that allow them access to unsuspecting users’ assets.
Earlier this month, a PEPE token holder lost $1.39 million after unknowingly signing a malicious Permit2 transaction.
Edited by Sebastian Sinclair